USA: The next attempt to ban end-to-end encryption is the LAED Act
Summary: With the LAED Act, Republican Senator Lindsey Graham has introduced a law that aims to ban end-to-end encryption. Learn more about the content and implications of the law.
What is the LAED Act?
The Acronym stands for Lawful Access to Encrypted Data. Essentially it is about introducing a decryption obligation for platforms and providers from the US. This should facilitate the work of law enforcement agencies. The official objective is to end the use of secure encryption so that “illegal behaviour” can no longer be disguised.
Applicability of the LAED Act
Once adopted, the law will cover both Data at Rest (for example, in a cloud storage) and Data in Transit (e.g. the communication between a device and the server that takes place when a website is accessed). Thus, Apple, for example, would not only have to help the FBI to break into an iPhone and read the data, but also make all communication that runs over this iPhone accessible.
Law enforcement agencies may use the LAED Act as the basis for their enquiries to technology companies in both criminal as well as national security legal processes.
The LAED Act is supposed to apply to companies that have more than 1 million users. This includes providers of operating systems, messenger apps, video conferencing software, email services such as cloud storage. Devices with at least 1 GB of memory also fall within the scope of the LAED Act. However, smaller companies can be forced to implement an “Assistance Capability Directive” which can be ordered by the Attorney General. In this context, an implementation schedule may also be requested.
What may have sounded like the dismantling of bureaucratic hurdles for law enforcement in the past can also be looked at from a different perspective. The Electronic Frontier Foundation, for example, warns that: This law requires the installation of backdoors.
Legislators assume that these backdoors – one could also call them vulnerabilities – are only used by authorities. In reality, based on various incidents in the past, it can be assumed that collecting vulnerabilities and setting up backdoors will make the Internet less secure for everyone. It is only a matter of time until people with criminal intentions get to these backdoors.
Anyone planning a crime can always switch to other networks or ensure a secure way of communication themselves. But ordinary citizens, who usually lack technical know-how, do not have this option and would be the victims of these surveillance systems.
Implications of the LAED Act
Apart from the dramatic impact, the LAED Act would have on the security of everyone it would particularly harm the US economy. Since the invention of the Internet, decentralized working has never been as important and widespread as now during the Corona pandemic. Secure teamwork - made possible with end-to-end encryption - is crucial for conducting business. The government is massively endangering business locations by depriving companies and organizations of their working basis.
Of course, this threat is not limited to those directly located in the United States. The LAED Act puts all users of services and devices at risk that are provided by US companies. Notoriously this includes almost all major platforms and operating systems.
Since the LAED Act also applies to Data in Transit, many critics of the law worry about HTTPS, the system that protects almost all web pages with TLS encryption. If the LAED Act were to come into force, there would be the necessity of a backdoor. Law enforcement agencies (and most likely hackers) would then gain access to all metadata exchanged between the device that visits and the server that hosts a website.
As things stand, providers of messenger apps from the US would probably have to remove their secure chat services from Apple and Google’s sales platforms, as they would no longer meet the security standards with the built-in backdoor. Hard disk encryption of devices would also have to be modified so that authorities can access them at any time.
LAED Act vs. EARN IT Act
Here in Europe, the EARN IT Act has so far received significantly more attention than the LAED Act. Whereby the latter has even more fatal consequences for private communication on the internet.
The EARN IT Act also deals with the prohibition of end-to-end encryption. However, in its current version, it offers a way out for companies that cannot or do not want to install backdoors. Nevertheless, this law is also a slap in the face of civil rights. We covered this topic here.
The LAED Act, on the other hand, does not even try to beat around the bush or - as with the EARN IT Act - provide an emotional justification for the far-reaching powers of law enforcement agencies. No, this bill clearly calls for the elimination of end-to-end encryption and the installation of backdoors.
LAED Act vs. GDPR
The contradictory approaches to the protection of personal data and private communications in the US and the European Union were again highlighted in the press by the so-called “Schrems 2-ruling”. After a complicated legal dispute involving Austrian data protection activist Max Schrems and Facebook, the ECJ overturned the Privacy Shield Agreement, which regulated data traffic between the EU and US for 4 years.
The reason for this ruling is that while in the EU data protection and the sovereignty of citizens over their data are the main focus, in the US private individuals, in theory, do not even have the legal structures to bring data breaches to court.
If the LAED Act were to come into force, legal practice in the two regions would therefore diverge even further. Companies subject to the data provisions of the European General Data Protection Regulations would no longer be able to exchange data with companies from the US. The same applies to the use of US services by private individuals.
What stage in the legislative process are we at?
As of November 2020
Senator Lindsey Graham introduced the bill on June 23rd, 2020 and submitted it to the Senate Judiciary Committee. We have no information as to when the Senate and House of Representatives plan to pass the bill. The current status of the legislative process can be followed here: S. 4051: Lawful Access to Encrypted Data Act.
Legislative procedures and practice of legal interpretation are different in the USA than in Germany. US courts are based on the so-called common law. They can influence legislation with their jurisdiction. As a result, the LAED Act could already have an effect, although the law has not yet been passed. Besides, Senator Lindsey Graham was able to defend his mandate in the November 2020 election and will thus certainly push the bill forward.
While implementing a back door is easy, it is impossible to allow its use only by "the good guys". As a civil society, we must be careful not to measure our standards by the behavior of criminals. The goal must be that the population can interact with each other without fear of reprisals.
We would like to recommend the Fight For The Future petition, which has already been signed by more than 500,000 people: Don't Let Congress Kill Encryption. Please also use social networks and personal conversations to draw attention to the enormous importance of end-to-end encryption for our freedom. American citizens can address their representative in Congress directly.